Camera: Check external camera v4l2 buffer size
V4L2 buffer size should fall within a reasonable range
like (0, width*height*2]. Check and return appropriate
status in case the size is not within this range.
Bug: 72261912
Test: Camera CTS
Change-Id: I1945dc734afb552ecb8d4ef74c9198eca8ce00e7
diff --git a/camera/device/3.4/default/ExternalCameraDeviceSession.cpp b/camera/device/3.4/default/ExternalCameraDeviceSession.cpp
index 7015bcb..2c03d81 100644
--- a/camera/device/3.4/default/ExternalCameraDeviceSession.cpp
+++ b/camera/device/3.4/default/ExternalCameraDeviceSession.cpp
@@ -2149,6 +2149,13 @@
}
uint32_t bufferSize = fmt.fmt.pix.sizeimage;
ALOGI("%s: V4L2 buffer size is %d", __FUNCTION__, bufferSize);
+ uint32_t expectedMaxBufferSize = kMaxBytesPerPixel * fmt.fmt.pix.width * fmt.fmt.pix.height;
+ if ((bufferSize == 0) || (bufferSize > expectedMaxBufferSize)) {
+ ALOGE("%s: V4L2 buffer size: %u looks invalid. Expected maximum size: %u", __FUNCTION__,
+ bufferSize, expectedMaxBufferSize);
+ return -EINVAL;
+ }
+ mMaxV4L2BufferSize = bufferSize;
const double kDefaultFps = 30.0;
double fps = 1000.0;
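Review bot: The added `expectedMaxBufferSize` line computes its bound in 32-bit arithmetic, so a driver-reported width and height whose product with `kMaxBytesPerPixel` exceeds UINT32_MAX wraps, and `bufferSize` is then compared against a limit unrelated to the real frame dimensions. These dimensions come from the external device's format reply, so widen the product before comparing: `uint64_t expectedMaxBufferSize = static_cast<uint64_t>(kMaxBytesPerPixel) * fmt.fmt.pix.width * fmt.fmt.pix.height;`, and adjust the `ALOGE` format specifier to match. The enclosing function starts and ends outside the hunk.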
@@ -2296,6 +2303,12 @@
// TODO: try to dequeue again
}
+ if (buffer.bytesused > mMaxV4L2BufferSize) {
+ ALOGE("%s: v4l2 buffer bytes used: %u maximum %u", __FUNCTION__, buffer.bytesused,
+ mMaxV4L2BufferSize);
+ return ret;
+ }
+
if (buffer.flags & V4L2_BUF_FLAG_TIMESTAMP_MONOTONIC) {
// Ideally we should also check for V4L2_BUF_FLAG_TSTAMP_SRC_SOE, but
// even V4L2_BUF_FLAG_TSTAMP_SRC_EOF is better than capture a timestamp now
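Review bot: The new early `return ret;` for an oversized `bytesused` appears to leave the kernel buffer dequeued. The check sits after the "try to dequeue again" error handling, so the dequeue has presumably already succeeded (that call is outside the hunk), and nothing on this path hands the buffer back. A device that keeps reporting an out-of-range `bytesused` could then exhaust the buffer pool and stall capture. Consider re-queuing the buffer with `VIDIOC_QBUF` before returning, or at minimum a comment such as `// buffer is not re-queued on this path`. The check also lets `bytesused == 0` through, which may deserve the same rejection.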
diff --git a/camera/device/3.4/default/include/ext_device_v3_4_impl/ExternalCameraDeviceSession.h b/camera/device/3.4/default/include/ext_device_v3_4_impl/ExternalCameraDeviceSession.h
index 5315097..64134c5 100644
--- a/camera/device/3.4/default/include/ext_device_v3_4_impl/ExternalCameraDeviceSession.h
+++ b/camera/device/3.4/default/include/ext_device_v3_4_impl/ExternalCameraDeviceSession.h
@@ -108,6 +108,7 @@
static const int kMaxProcessedStream = 2;
static const int kMaxStallStream = 1;
+ static const uint32_t kMaxBytesPerPixel = 2;
protected:
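Review bot: `kMaxBytesPerPixel` is added without a comment saying what it bounds or why 2 is the right ceiling. A one-line comment would help, e.g. `// Upper bound on bytes per pixel, used to sanity-check the sizeimage reported by the V4L2 driver`. If a format needing more than two bytes per pixel is ever supported, the size check in ExternalCameraDeviceSession.cpp would reject its buffers, which is worth stating next to the constant.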
@@ -319,6 +320,7 @@
std::mutex mV4l2BufferLock; // protect the buffer count and condition below
std::condition_variable mV4L2BufferReturned;
size_t mNumDequeuedV4l2Buffers = 0;
+ uint32_t mMaxV4L2BufferSize = 0;
// Not protected by mLock (but might be used when mLock is locked)
sp<OutputThread> mOutputThread;
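Review bot: `mMaxV4L2BufferSize` is placed directly under the members annotated as protected by `mV4l2BufferLock`, but neither .cpp hunk shows that lock being held where the field is written or read. The enclosing functions are outside the hunks, so another lock may cover it. Add a comment stating the actual rule, for example `// Set when the V4L2 stream is configured; upper bound for bytesused of dequeued buffers. Guarded by <lock>`.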